Latest Activity

Talking about CXF at Apache Con NA 2015
2 weeks ago

By Sergey Beryozkin
Apache Con NA 2015 will be held in Austin, Texas on April 13-16 and as it is usually the case there will be several presentations done there about Apache CXF. There will be interesting presentations from Hadrian and JB too. There will be many other great presentations as usual.

As far as CXF presentations are concerned:

Aki Yoshida will talk about combining Swagger (Web) Sockets, Apache Olingo and CXF Web Sockets Transport - now, this is seriously cool ...
Continue reading →

Apache CXF is getting JOSE ready
2 weeks ago

By Sergey Beryozkin
I've already talked about JOSE on this blog. In my opinion, it is one of the key technologies, alongside OAuth2, that will deeply affect the way developers write secure HTTP RS services in the years to come.

A one sentence summary: one can use JOSE to secure, sign and/or encrypt a data content in any format, JSON, text, binaries, anything. JOSE is a key component of an advanced OAuth2 application, but also is a good fit for securing the regular HTTP ...
Continue reading →

Camel CXFRS Improvements
2 weeks ago

By Sergey Beryozkin
Camel CXFRS is one of the oldest Camel components which was created by Willem Jiang, my former colleague back from IONA Technology days, and maintained by Willem since its early days.

Camel is known to be a very democratic project with respect to supporting all sort of components, and it has many components that can deal with HTTP invocations. CXFRS is indeed just one of them but as you can guess from its name it is dedicated to supporting HTTP ...
Continue reading →

Apache Karaf Tutorial Part 9 - Annotation based blueprint and JPA
3 weeks ago

By Christian Schneider

Blog post edited by Christian Schneider

Writing blueprint xml is quite verbose and large blueprint xmls are difficult to keep in sync with code changes and especially refactorings. So many people prefer to do most declarations using annoations. Ideally these annotations should be standardized so it is clearly defined what they do.blueprint-maven-plugin

The aries ...


Continue reading →

Apache Karaf Tutorial Part 9 - Annotation based blueprint and JPA
3 weeks ago

By Christian Schneider

Blog post edited by Christian Schneider

Writing blueprint xml is quite verbose and large blueprint xmls are difficult to keep in sync with code changes and especially refactorings.
So many people prefer to do most declarations using annoations. Ideally these annotations should be standardized so it is clearly defined what they do.

blueprint-maven-plugin

The aries ...


Continue reading →

Apache Karaf Tutorial Part 6 - Database Access
3 weeks ago

By Christian Schneider

Blog post edited by Christian Schneider - "Corrections"

Shows how to access databases from OSGi applications running in Karaf and how to abstract from the DB product by installing DataSources as OSGi services. Some new Karaf shell commands can be used to work with the database from the command line. Finally JDBC and JPA examples show how to use such a DataSource from ...
Continue reading →

New Apache WSS4J and CXF releases
1 month ago

By Colm O hEigeartaigh
Apache WSS4J 2.0.3 and 1.6.18 have been released. Both releases contain a number of fixes in relation to validating SAML tokens, as covered earlier. In addition, Apache WSS4J 2.0.3 has unified security error messages to prevent some attacks (see here for more information). Apache CXF 3.0.4 and 2.7.15 have also been released, both of which pick up the recent WSS4J
Continue reading →

Unified security error messages in Apache WSS4J and CXF
1 month ago

By Colm O hEigeartaigh
When Apache WSS4J encounters a error on processing a secured SOAP message it throws an exception. This could be a configuration error, an invalid Signature, incorrect UsernameToken credentials, etc. The SOAP stack in question, Apache CXF for the purposes of this post, then converts the exception into a SOAP Fault and returns it to the client. However the SOAP stack must take care not to leak information (e.g. internal configuration details) to an ...
Continue reading →

Two new security advisories released for Apache WSS4J
1 month ago

By Colm O hEigeartaigh
Two new security advisories have been released for Apache WSS4J, both of which were fixed in Apache WSS4J 2.0.2 and 1.6.17.
  • CVE-2015-0226: Apache WSS4J is (still) vulnerable to Bleichenbacher's attack
  • CVE-2015-0227: Apache WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property
Please see the Apache WSS4J security advisories page for more
Continue reading →

New SAML validation changes in Apache WSS4J and CXF
1 month ago

By Colm O hEigeartaigh
Two new Apache WSS4J releases are currently under vote (1.6.18 and 2.0.3). These releases contain a number of changes in relation to validating SAML tokens. Apache CXF 2.7.15 and 3.0.4 will pick up these changes in WSS4J and enforce some additional constraints. This post will briefly cover what these new changes are.

1) Security constraints are now enforced on SAML Authn (Authentication) Statements

From the 1.6.18 and 2.0.3 WSS4J releases, security ...
Continue reading →

Single Logout with Fediz - WS-Federation
1 month ago

By Jan Bernhardt
WS-Federation is primarily used to achieve Single Sing On (SSO). This raises the challenge how to securely logout from multiple applications once the user is done with his work. To navigate to each application previously used to hit the logout button would be quite inconvenient. Fortunately the WS-Federation standard does not only define how to do single sign on, but also how to do single logout.

In this blog I'll explain how to setup a demonstrator ...
Continue reading →

LDAP support in Apache Camel
2 months ago

By Colm O hEigeartaigh
Apache Camel allows you to add LDAP queries to your Camel routes via the camel-ldap and camel-spring-ldap components. The camel-ldap component allows you to perform an LDAP query using a filter as the message payload. The spring-ldap component is a wrapper for Spring LDAP, and is a bit more advanced than the camel-ldap component, in that it also supports the "bind" and "unbind" operations, in addition to "search".

I've created two test-cases that show ...
Continue reading →

Apache Santuario - XML Security for Java 2.0.3 and 1.5.8 released
2 months ago

By Colm O hEigeartaigh
Versions 2.0.3 and 1.5.8 of Apache Santuario - XML Security for Java have been released. Version 2.0.3 contains a critical security advisory (CVE-2014-8152) in relation to the new streaming XML Signature support introduced in version 2.0.0:
For certain XML documents, it is possible to modify the document and the streaming XML Signature verification code will not report an error when trying to validate the signature.

Please note that the "in-memory" ...
Continue reading →

How fast is CXF ? - Measuring CXF performance on http, https and jms
2 months ago

By Christian Schneider

Blog post edited by Christian Schneider

The performance numbers in this article are a bit out of date

Icon

For a more current JMS performance measurement see Revisiting JMS performance. Improvements in CXF 3.0.0.

On a 2014 system http performance should be around 10k - 20k ...


Continue reading →

XML Advanced Electronic Signature (XAdES) support in Apache Camel
2 months ago

By Colm O hEigeartaigh
I have previously covered some XML Signature and Encryption testcases in Apache Camel. Camel 2.15 will feature some new limited support for XML Advanced Electronic Signatures (XAdES) in the XML Security component. This post will briefly cover what XML Advanced Electronic Signatures are, and show how they can be produced in Camel. No support exists yet for validating XAdES Signatures in Camel. Note that as Camel 2.15 is not yet released, some of the ...
Continue reading →

Signing and encrypting Apache Camel routes
2 months ago

By Colm O hEigeartaigh
A recent blog post looked at using the XML Security component and dataformat in Apache Camel to sign and encrypt XML documents. However, what if you wish to secure non-XML data? An alternative is to use the Apache Camel Crypto component and dataformat. The Crypto component provides the ability to sign (and verify) messages (using the JCE). Similarly, the Crypto dataformat allows you to encrypt (and decrypt) messages (again using the JCE). Another ...
Continue reading →

[OT] U2: "We were pilgrims on our way"
3 months ago

By Sergey Beryozkin


"The Miracle (of Joey Ramone)" from the last U2 "Songs of Innocence" album is a refreshing song. The actual album's content is strong. Not necessarily easy to listen though but it is been played in my car's CD player more or less every time I go driving for the last few weeks. The trick is, after listening to it for the first time, do a few days pause, and then listen again with a volume much higher than last time. It's a blast.

I still do like U2 ...
Continue reading →

No Data No Fun !
3 months ago

By Sergey Beryozkin
Continuing with the theme of T-shirts, I'd like to let you know "No Data No Fun" is a cool line printed on my T-shirt I got at a Talend R&D summit organized at a second-to-none level back in early October. I guess having a collection of good T-Shirts is one of the real perks of the developers involved into the open source development :-)

"No Data No Fun" is also one of the themes behind Talend's continued investment into the tooling which ...
Continue reading →

Get into OAuth2 with Client Credentials Grant
3 months ago

By Sergey Beryozkin
One of the possible barriers toward OAuth2 going completely mainstream is the likely association of OAuth2 with what big social media providers do and the assumption OAuth2 is only suitable for their business, for the way their users interact with these providers.

In fact, OAuth2 is more embracing. Client Credentials grant, one of several standard OAuth2 grants,  provides the easy path for the traditional clients toward starting working with ...
Continue reading →

New SSL/TLS vulnerabilities in Apache CXF
3 months ago

By Colm O hEigeartaigh
Apache CXF 3.0.3 and 2.7.14 have been released. Both of these releases contain fixes for two new SSL/TLS security advisories:
  • Note on CVE-2014-3566: This is not an advisory per se, but rather a note on an advisory. CVE-2014-3566 (aka "POODLE") is a well publicised attack which forces a TLS connection to downgrade to use SSL 3.0, which in turn is vulnerable to a padding oracle attack. Apache CXF 3.0.3 and 2.7.14 disable SSL 3.0 support by default for ...

Continue reading →
More Articles (+10)

Pages

Subscribe to Talend Community Coders aggregator